Re: Future of krb5 authentication

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Heikki Linnakangas <heikki(at)enterprisedb(dot)com>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Future of krb5 authentication
Date: 2007-07-18 16:49:32
Message-ID: 469E449C.1090909@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Stephen Frost wrote:
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
>> But we're talking two different issues. Deprecating/removing krb5 is a
>> different thing from having GSSAPI and SSPI mutually exclusive or not.
>
> To the extent that keeping krb5 around implies a much lower burden on
> GSSAPI support under Windows, I disagree... If we need the MIT
> headers/libraries around to support krb5 anyway then I don't feel the
> fact that you can do SSPI w/o those headers/libraries to be a case for
> not supporting GSSAPI on Windows, we need them anyway...

I was talking from a technical perspective, not a maintenance one.

Your argument is at least party valid - though Dave has reported major
issues due to the gssapi library changing between versions. But those
are solvable.

The maintenance part of me suggesting getting rid of krb5 is the
smallest one. It being a non-standard protocol is more important, and
the fact that the exchange breaks the libpq protocol and is not
protected by SSL is the big reason.

But none of those more important reasons speak for removing krb5 - just
deprecating it. So I'm fine with doing that.

(and again, the SSPI vs GSSAPI on win32 discussion is a different one)

//Magnus

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Magnus Hagander 2007-07-18 16:51:55 Re: Future of krb5 authentication
Previous Message Stephen Frost 2007-07-18 16:43:05 Re: Future of krb5 authentication